| Author | Messages | |
RichardKline
Posts:10
 | | 02/18/2008 9:46 AM |
| I was hoping that someone might point me to an article or two or three.
First of all, please don't yell at me :-) I know that this is a bad idea.
Background:
I work for a medium-size organization (9,000 workstations or so). There is a partially implemented plan to move DNS services away from the native W2k3 DNS onto non-BIND UNIX-based DNS servers.
I very recently heard of the plan and am opening a dialog with the UNIX DNS team. I'm not concerned about the UNIX server, but the non-BIND aspect leaves me queasy, especially since WINS will mask the problems and enable a crippled DNS to give the appearance of working.
The articles which I've seen on this subject focus from the view "These are the mechanics necessary to make this happen correctly" and discuss the need of workstations to find servers. The non-BIND DNS team believe that they can cover these needs without enabling BIND. [personal belief statements deleted].
Question:
Does anyone know of any articles which would describe the impact upon workstations and users if a non-BIND DNS structure were enacted and WINS was not available? Not necessarily a technical article which describes low-level interactions, but one that non-technical policy makers can read without a glossary and/or interpreter. A good proportion of my target audience are mainframers and those who use servers for FTP and SMTP operations.
Perhaps I'm wrong, but it seems obvious that little things like Policy replication, Exchange Server to Outlook client notifications, peer-to-peer operations of all sorts just won't work very well. The recent series on free-bsd DNS use sorta flirted with these issues but...
Thank you for your time.
Richard
| | | |
| bdesmond
Posts:366
 | | 02/18/2008 10:06 AM |
| It doesn't really matter whether it's BIND or some other flavor of DNS...
I'm not sure why this would affect anything on your punch list at the bottom, honestly. Either lookups are working with this new system you have or they aren't. Hopefully DDNS is enabled at least for your DCs or else you are making sure the records are refreshed manually as necessary.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
| RichardKline
Posts:10
 | | 02/18/2008 10:16 AM |
| The servers would be represented in the static DNS but not all of the workstations. And of the workstations, the DNS names would not be the computer names used for AD registration but rather a generic designation like .... SubnetxxxLastOctetxxx
So DNS lookup from the client to the servers should work but not from server to client, correct? Again, I'm pretending that WINS doesn't exist so as to separate their impact.
| | | |
| jw1
Posts:0
 | | 02/18/2008 10:32 AM |
Correct - but there's not generally a requirement for the server to be able to look up a specific name for the client. The computer account would only need to match the non-BIND DNS for things like Kerberos SPNs, for member servers and such.
There's nothing about the statements for non-MSFT DNS that requires BIND. You'll just have a harder time finding examples or support.
--James
| | | |
| neilruston
Posts:153
 | | 02/18/2008 10:37 AM |
| FWIW I have implemented a 10,000+ seat deployment where:
1. Workstations did not register A nor PTR records in DNS
2. Workstations did not register with the browser service
3. DNS was hosted on a non-Windows platform
If a machine needs to lookup a resource hosted on a workstation:
1. Ask why!!
2. Add static A and PTR records
So long as DNS supports SRV records and DDNS, you should be fine.
Why not test / pilot the proposal and see what breaks :-)
neil
Barclays Wealth is the wealth management division of Barclays Bank PLC. This email may relate to or be sent from other members of the Barclays Group.
The availability of products and services may be limited by the applicable laws and regulations in certain jurisdictions. The Barclays Group does not normally accept or offer business instructions via internet email. Any action that you might take upon this message might be at your own risk.
This e-mail and any attachments are confidential and intended solely for the addressee and may also be privileged or exempt from disclosure under applicable law. If you are not the addressee, or have received this e-mail in error, please notify the sender immediately, delete it from your system and do not copy, disclose or otherwise act upon any part of this e-mail or its attachments.
Internet communications are not guaranteed to be secure or virus-free. The Barclays Group does not accept responsibility for any loss arising from unauthorised access to, or interference with, any Internet communications by any third party, or from the transmission of any viruses. Replies to this e-mail may be monitored by the Barclays Group for operational or business reasons.
Any opinion or other information in this e-mail or its attachments that does not relate to the business of the Barclays Group is personal to the sender and is not given or endorsed by the Barclays Group.
Barclays Bank PLC. Registered in England and Wales (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom.
Barclays Bank PLC is authorised and regulated by the Financial Services Authority.
| | | |
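To make Neil's checklist concrete (SRV records plus dynamic update for the DCs, workstations left unregistered), here is an added example that is not code from the thread: a small Python checker that reads a zone in the BIND-style syntax a domain controller writes to its netlogon.dns file and reports which of the DC locator records the new server is missing. The domain, site name, hostnames and the DSA GUID in the sample zone are constructed placeholders, and a single-domain forest is assumed so the GC records live under the same name. Feed it a text dump of the zone the UNIX team's server actually serves and you have the pilot check Neil suggests, before WINS gets a chance to hide anything.

```python
# Added example (not from the thread): verify that the zone a non-Microsoft
# DNS serves holds the records a domain controller registers via dynamic
# update. The sample zone is constructed in the BIND-style syntax a DC
# writes to %SystemRoot%\System32\config\netlogon.dns; the domain, site,
# hostnames and DSA GUID are placeholders.
import re

RECORD_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>A|SRV|CNAME)\s+(?P<rdata>.+)$"
)

# Constructed sample: one DC (dc1) in site HQ of the single-domain forest
# example.corp. Workstations deliberately have no A or PTR records.
SAMPLE_ZONE = """\
; apex record, used by clients that bind to the domain name directly
example.corp. 600 IN A 10.20.0.10
_ldap._tcp.example.corp. 600 IN SRV 0 100 389 dc1.example.corp.
_ldap._tcp.HQ._sites.example.corp. 600 IN SRV 0 100 389 dc1.example.corp.
_ldap._tcp.dc._msdcs.example.corp. 600 IN SRV 0 100 389 dc1.example.corp.
_ldap._tcp.HQ._sites.dc._msdcs.example.corp. 600 IN SRV 0 100 389 dc1.example.corp.
_ldap._tcp.pdc._msdcs.example.corp. 600 IN SRV 0 100 389 dc1.example.corp.
_ldap._tcp.gc._msdcs.example.corp. 600 IN SRV 0 100 3268 dc1.example.corp.
_gc._tcp.example.corp. 600 IN SRV 0 100 3268 dc1.example.corp.
_kerberos._tcp.example.corp. 600 IN SRV 0 100 88 dc1.example.corp.
_kerberos._udp.example.corp. 600 IN SRV 0 100 88 dc1.example.corp.
_kpasswd._tcp.example.corp. 600 IN SRV 0 100 464 dc1.example.corp.
_kpasswd._udp.example.corp. 600 IN SRV 0 100 464 dc1.example.corp.
11111111-2222-3333-4444-555555555555._msdcs.example.corp. 600 IN CNAME dc1.example.corp.
dc1.example.corp. 1200 IN A 10.20.0.10
"""


def parse_zone(text):
    """Map (owner, rtype) -> list of rdata. Owner names are lower-cased
    because DNS matching is case-insensitive; SRV rdata becomes
    (priority, weight, port, target)."""
    zone = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {raw!r}")
        owner, rtype, fields = m["owner"].lower(), m["type"], m["rdata"].split()
        if rtype == "SRV":
            if len(fields) != 4:
                raise ValueError(f"bad SRV rdata: {raw!r}")
            rdata = (int(fields[0]), int(fields[1]), int(fields[2]), fields[3].lower())
        else:
            rdata = fields[0].lower()
        zone.setdefault((owner, rtype), []).append(rdata)
    return zone


def required_records(domain, site, dsa_guid):
    """Records a DC in `site` must be able to register (single-domain
    forest assumed, so the GC records live under the same domain)."""
    d = domain.lower().rstrip(".") + "."
    s = site.lower()
    return [
        (d, "A"),
        (f"_ldap._tcp.{d}", "SRV"),
        (f"_ldap._tcp.{s}._sites.{d}", "SRV"),
        (f"_ldap._tcp.dc._msdcs.{d}", "SRV"),
        (f"_ldap._tcp.{s}._sites.dc._msdcs.{d}", "SRV"),
        (f"_ldap._tcp.pdc._msdcs.{d}", "SRV"),
        (f"_ldap._tcp.gc._msdcs.{d}", "SRV"),
        (f"_gc._tcp.{d}", "SRV"),
        (f"_kerberos._tcp.{d}", "SRV"),
        (f"_kerberos._udp.{d}", "SRV"),
        (f"_kpasswd._tcp.{d}", "SRV"),
        (f"_kpasswd._udp.{d}", "SRV"),
        (f"{dsa_guid.lower()}._msdcs.{d}", "CNAME"),   # replication alias
    ]


def missing_records(zone, domain, site, dsa_guid):
    """(name, type) pairs the zone lacks; empty means the DC is findable."""
    return [key for key in required_records(domain, site, dsa_guid) if key not in zone]


def srv_targets(zone, name):
    """Hostnames a client would get back from an SRV query for `name`."""
    return sorted({t for (_, _, _, t) in zone.get((name.lower(), "SRV"), [])})


def resolve_a(zone, name):
    """Forward lookup; empty for an unregistered workstation, which is the
    server-to-client direction the thread says is not normally needed."""
    return zone.get((name.lower().rstrip(".") + ".", "A"), [])


if __name__ == "__main__":
    z = parse_zone(SAMPLE_ZONE)
    gaps = missing_records(z, "example.corp", "HQ", "11111111-2222-3333-4444-555555555555")
    print("missing:", gaps or "none")
    print("site DCs:", srv_targets(z, "_ldap._tcp.HQ._sites.dc._msdcs.example.corp."))
    print("ws-0042 A:", resolve_a(z, "ws-0042.example.corp") or "no record")
```

The interesting output is the `missing_records` list: drop any one line from the sample (say the `_kerberos._tcp` SRV) and the checker names it, which is exactly the kind of gap that a WINS-backed environment would paper over until Kerberos stopped working on a subnet with no WINS server.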
| RichardKline
Posts:10
 | | 02/18/2008 10:47 AM |
| So... I've been misunderstanding something very basic -- it's bothering me. Please bear with me while I receive some remedial training.
So for a computer policy to be "pushed" from the domain controller, the client must first contact the DC? The DCs don't actually push?
| | | |
| neilruston
Posts:153
 | | 02/18/2008 10:52 AM |
| ... it's a pull and not a push. How would the DC know which clients to push to?? Which are powered up? Which meet the WMI policy filter? Etc etc.

| | | |
| bdesmond
Posts:366
 | | 02/18/2008 10:57 AM |
| Right. There's no push involved with AD really it's all pull.
Thanks, Brian Desmond brian@briandesmond.com
c - 312.731.3132
| | | |
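What "it's all pull" looks like at the DNS level, as an added example that is not code from the thread: the domain member builds the site-specific DC locator SRV name, orders the answers it gets back, and connects outbound to the first candidate; nothing in this sequence requires the DC to resolve the client's name, which is why Richard's unregistered workstations do not break policy retrieval. The record sets, hostnames and site names are constructed placeholders, and the ordering rule is RFC 2782 (lowest priority first, weighted random draw within a priority), which the thread does not spell out.

```python
# Added example (not from the thread): the client side of "it's all pull".
# A domain member finds a DC by querying DNS for the site-specific SRV
# name, ordering the answers, and connecting outbound; the DC never has to
# resolve the client's name. Record sets, hostnames and site names are
# constructed placeholders. Ordering follows RFC 2782, which the thread
# does not spell out.
import random


def srv_name(domain, site=None):
    """Site-specific or domain-wide DC locator SRV name."""
    d = domain.lower().rstrip(".") + "."
    if site:
        return f"_ldap._tcp.{site.lower()}._sites.dc._msdcs.{d}"
    return f"_ldap._tcp.dc._msdcs.{d}"


# Constructed answers: two equal-weight DCs in site HQ plus a DC from
# another site that covers HQ, published at a worse priority and zero
# weight so it is tried last.
SAMPLE_ANSWERS = {
    srv_name("example.corp", "HQ"): [
        (0, 100, 389, "dc1.example.corp."),
        (0, 100, 389, "dc2.example.corp."),
        (10, 0, 389, "dc-dr.example.corp."),
    ],
    srv_name("example.corp"): [
        (0, 100, 389, "dc1.example.corp."),
        (0, 100, 389, "dc2.example.corp."),
        (0, 100, 389, "dc-dr.example.corp."),
    ],
}


def order_srv(records, rng=None):
    """Order (priority, weight, port, target) tuples per RFC 2782: lowest
    priority first, weighted random draw within a priority."""
    rng = rng or random.Random()
    by_prio = {}
    for rec in records:
        by_prio.setdefault(rec[0], []).append(rec)
    ordered = []
    for prio in sorted(by_prio):
        # zero-weight entries go first so they win only on a draw of 0
        pool = sorted(by_prio[prio], key=lambda r: r[1] != 0)
        while pool:
            draw = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= draw:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def locate_dc(domain, site, answers, seed=None):
    """(host, port) candidates in the order the client would try them.
    Site-specific records first; fall back to the domain-wide set when the
    site has none, e.g. the client's subnet is not mapped to a site."""
    rng = random.Random(seed)
    ordered = order_srv(answers.get(srv_name(domain, site), []), rng)
    if not ordered:
        ordered = order_srv(answers.get(srv_name(domain), []), rng)
    return [(target, port) for (_, _, port, target) in ordered]


if __name__ == "__main__":
    for site in ("HQ", "Branch"):
        print(site, "->", locate_dc("example.corp", site, SAMPLE_ANSWERS, seed=1))
```

The fallback branch is the one worth watching in a pilot: a workstation whose subnet is not mapped to a site queries the domain-wide record set and may land on a DC across the WAN, which shows up as slow logons and policy application rather than as an outright failure.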
| neilruston
Posts:153
 | | 02/18/2008 11:02 AM |
WINS if name used; ARP if IP address used :-)
________________________________ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Richard Kline Sent: 18 February 2008 15:52 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD using non-BIND DNS
More remedial education... What mechanism makes it possible to find a workstation to remotely inspect event logs?
Thank you.
| | | |
| davewade
Posts:44
 | | 02/18/2008 11:12 AM |
I guess that if you can't do a DNS lookup on a client the following may either fail or generate broadcast traffic.
If you use SMS remote support tools, if you have printers shared off workstations, other remote management tools may fail. It will be fun tracking DOS attacks from workstations where someone logs in with a bad password 5 times.
Of course WINS may help, but we have started disabling WINS on our laptops.
Dave Wade Business Services I.C.T.
0161 474 5456
********************************************************************** This email, and any files transmitted with it, is confidential and intended solely for the use of the individual or entity to whom they are addressed. As a public body, the Council may be required to disclose this email, or any response to it, under the Freedom of Information Act 2000, unless the information in it is covered by one of the exemptions in the Act.
If you receive this email in error please notify Stockport ICT, Business Services via email.query@stockport.gov.uk and then permanently remove it from your system.
Thank you.
http://www.stockport.gov.uk **********************************************************************
| | | |
| neilruston
Posts:153
 | | 02/18/2008 11:22 AM |
|
I guess that if you can't do a DNS lookup on a client then the following may either fail or generate broadcast traffic. *** True. I didn't suggest the approach would work for all
If you use SMS remote support tools, *** Not a req
if you have printers shared off workstations, *** Not permitted
Other remote management tools may fail. *** All tested and no issues
It will be fun tracking DOS attacks from workstations where someone logs in with a bad password 5 times. *** Sec Mon tool used
Of course WINS may help, but we have started disabling WINS on our laptops
Dave Wade Business Services I.C.T. 0161 474 5456
________________________________ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of neil.ruston@barclayswealth.com Sent: 18 February 2008 15:32 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD using non-BIND DNS
FWIW I have implemented a 10,000+ seat deployment where:
1. Workstations did not register A nor PTR records in DNS
2. Workstations did not register with the browser service
3. DNS was hosted on a non-Windows platform
If a machine needs to look up a resource hosted on a workstation:
1. Ask why!!
2. Add static A and PTR records
So long as DNS supports SRV records and DDNS, you should be fine.
Why not test / pilot the proposal and see what breaks
neil
________________________________ From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Richard Kline Sent: 18 February 2008 15:14 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD using non-BIND DNS
The servers would be represented in the static DNS but not all of the workstations. And of the workstations, the DNS names would not be the computer names used for AD registration but rather a generic designation like .... SubnetxxxLastOctetxxx
So DNS lookup from the client to the servers should work but not from server to client, correct? Again, I'm pretending that WINS doesn't exist so as to separate their impact.
| | | |
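Neil's "so long as DNS supports SRV records and DDNS" and "test / pilot the proposal and see what breaks" point at the first thing to verify on the proposed UNIX server. The script below is an added example for this thread, not code from any poster: it builds the core set of SRV names a Windows client queries to find a domain controller and reports which ones a candidate server does not answer. The domain corp.example.com, the site Default-First-Site-Name, the DC dc1.corp.example.com and the server address are hypothetical; the live lookup shells out to dig, and the offline demo runs against a constructed zone.

```python
"""
Pre-pilot check for the "SRV records and DDNS" requirement: does a candidate
DNS server answer the SRV queries a domain member makes to locate a domain
controller?  Added example for this thread, not code from any poster.
Assumed (hypothetical) names: domain corp.example.com, site
Default-First-Site-Name, DC dc1.corp.example.com.  The live lookup shells
out to `dig`, which must be on PATH; the offline demo uses a constructed zone.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]          # priority, weight, port, target
Lookup = Callable[[str], List[SrvRecord]]      # name -> records ([] if unanswered)


def required_srv_names(domain: str, site: str, forest: Optional[str] = None) -> List[str]:
    """Core SRV names a DC registers via Netlogon and the DC Locator queries.
    Site-specific names come first because clients prefer a DC in their site."""
    forest = forest or domain
    return [
        f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_ldap._tcp.{site}._sites.{domain}",
        f"_ldap._tcp.dc._msdcs.{domain}",
        f"_ldap._tcp.{domain}",
        f"_ldap._tcp.pdc._msdcs.{domain}",               # PDC emulator
        f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
        f"_kerberos._tcp.{site}._sites.{domain}",
        f"_kerberos._tcp.dc._msdcs.{domain}",
        f"_kerberos._tcp.{domain}",
        f"_kpasswd._tcp.{domain}",
        f"_gc._tcp.{forest}",                             # global catalog, forest-wide
        f"_ldap._tcp.gc._msdcs.{forest}",
    ]


def parse_dig_short(output: str) -> List[SrvRecord]:
    """Parse `dig +short SRV` lines of the form '<prio> <weight> <port> <target>.'"""
    records: List[SrvRecord] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 4 and all(p.isdigit() for p in parts[:3]):
            records.append((int(parts[0]), int(parts[1]), int(parts[2]), parts[3].rstrip(".")))
    return records


def dig_lookup(server: str) -> Lookup:
    """Build a live lookup against one server, e.g. the pilot UNIX resolver."""
    def lookup(name: str) -> List[SrvRecord]:
        proc = subprocess.run(["dig", f"@{server}", "+short", "+time=3", "SRV", name],
                              capture_output=True, text=True, timeout=15)
        return parse_dig_short(proc.stdout) if proc.returncode == 0 else []
    return lookup


def check_srv(names: List[str], lookup: Lookup) -> Dict[str, List[SrvRecord]]:
    """Query every name; an empty list marks a record the server did not answer."""
    results: Dict[str, List[SrvRecord]] = {}
    for name in names:
        try:
            results[name] = lookup(name)
        except Exception:        # timeout, dig not installed, etc.: treat as unanswered
            results[name] = []
    return results


def missing_records(results: Dict[str, List[SrvRecord]]) -> List[str]:
    return [name for name, recs in results.items() if not recs]


# Constructed sample zone standing in for a pilot server on which the DNS team
# loaded the domain-wide records by hand but not the site-specific or PDC ones.
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.corp.example.com": [(0, 100, 389, "dc1.corp.example.com")],
    "_ldap._tcp.dc._msdcs.corp.example.com": [(0, 100, 389, "dc1.corp.example.com")],
    "_kerberos._tcp.corp.example.com": [(0, 100, 88, "dc1.corp.example.com")],
    "_kerberos._tcp.dc._msdcs.corp.example.com": [(0, 100, 88, "dc1.corp.example.com")],
    "_kpasswd._tcp.corp.example.com": [(0, 100, 464, "dc1.corp.example.com")],
    "_gc._tcp.corp.example.com": [(0, 100, 3268, "dc1.corp.example.com")],
    "_ldap._tcp.gc._msdcs.corp.example.com": [(0, 100, 3268, "dc1.corp.example.com")],
}


def sample_lookup(name: str) -> List[SrvRecord]:
    return SAMPLE_ZONE.get(name, [])


def demo(lookup: Lookup = sample_lookup) -> List[str]:
    """Run the check for the assumed domain/site and return the missing names."""
    names = required_srv_names("corp.example.com", "Default-First-Site-Name")
    return missing_records(check_srv(names, lookup))


if __name__ == "__main__":
    # Against the real pilot server (hypothetical address): demo(dig_lookup("10.0.0.53"))
    for name in demo():
        print("MISSING:", name)
```

Missing site-specific records do not break logon outright, which is exactly the masking Richard worries about: the locator falls back to the domain-wide names and may quietly pick a DC across the WAN. The "DDNS" half of Neil's requirement has a security edge worth raising with the UNIX team: a server that accepts unsigned dynamic updates from the whole network lets any host rewrite these SRV records and advertise itself as a domain controller, so either accept updates only through GSS-TSIG (what Windows calls secure dynamic update) or restrict updates to the DC addresses and load everything else statically.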
| deji
Posts:140
 | | 02/18/2008 12:58 PM |
| >>> Other remote management tools may fail. *** All tested and no issues
If your clients don't register A or PTR in DNS (and you didn't indicate whether WINS is in use), then how are they found by your management tool, especially in your 10,000-seat environ?
Sincerely, Microsoft MVP - Directory Services www.akomolafe.name - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ma/default.aspx
| | | |